Known-Deployed File Metadata Repository and Analysis Engine

ABSTRACT

A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

BACKGROUND

In an attempt to keep ahead of enterprise security measures, attackerscontinually adapt their methods in an attempt to keep ahead of theability of enterprise network security procedures. Because sophisticatedmeans of intercepting encrypted files are currently available,perpetrators may focus on alternative ways of avoiding data security.Often, Cyber-security detection and response processes involvedifferentiating permissible, expected or otherwise benign behaviors fromvarious observed behaviors that are generated by an adversary and/or byan insider threat. On a host endpoint computing device under review thismay be difficult. Often, this may require that security systems todetermine which artifacts (e.g., binary files, scripts, and the like)have been introduced to the system by an outside malicious user or whichartifacts have been leveraged for malign intent such as by usingso-called “Living off the Land Binaries and Scripts” (LOLBAS) against abackground of pre-existing and non-relevant artifacts.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. The summary is not anextensive overview of the disclosure. It is neither intended to identifykey or critical elements of the disclosure nor to delineate the scope ofthe disclosure. The following summary merely presents some concepts ofthe disclosure in a simplified form as a prelude to the descriptionbelow.

Aspects of the disclosure provide effective, efficient, scalable, andconvenient technical solutions that address and overcome the technicalproblems associated with identification and deployment of files that areknown to be approved and centrally deployed within that environment. Aknown-deployed file metadata repository (KDFMR) and analysis engineenumerates reference lists of files stored on a software delivery point(SDP) and compares the enumerated list of files and associated metadatato previously stored values in the KDFMR. If newly stored or modifiedfiles are identified, the analysis engine acquires the files from theSDP. Each file is analyzed to determine whether the file is an atomicfile or a container file and metadata is generated or extracted. Eachfile stored in a container file is recursively extracted and analyzed,where metadata is generated for each extracted file and each containerfile. The KDFMR periodically analyzes the files stored on the SDP fordifferences to maintain the currency of the KDFMR data with respect tofiles stored on the SDP. Storage or modification of files on the SDPtriggers analysis of the associated file. KDFMR data is updated withmetadata determined based on sandbox detonation of analyzed files.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 shows an illustrative computing environment implementing aknown-deployed file repository and analysis system in accordance withone or more aspects described herein;

FIG. 2 shows an illustrative method for generation and use of aknown-deployed file repository in accordance with one or more aspectsdescribed herein;

FIG. 3 shows an illustrative operating environment in which variousaspects of the disclosure may be implemented in accordance with one ormore aspects described herein; and

FIG. 4 shows an illustrative block diagram of workstations and serversthat may be used to implement the processes and functions of certainaspects of the present disclosure in accordance with one or more aspectsdescribed herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the present disclosure.

It is noted that various connections between elements are discussed inthe following description. It is noted that these connections aregeneral and, unless specified otherwise, may be direct or indirect,wired or wireless, and that the specification is not intended to belimiting in this respect.

As used throughout this disclosure, computer-executable “software anddata” can include one or more: algorithms, applications, applicationprogram interfaces (APIs), attachments, big data, daemons, emails,encryptions, databases, datasets, drivers, data structures, file systemsor distributed file systems, firmware, graphical user interfaces,images, instructions, machine learning (i.e., supervised,semi-supervised, reinforcement, and unsupervised), middleware, modules,objects, operating systems, processes, protocols, programs, scripts,tools, and utilities. The computer-executable software and data is ontangible, computer-readable memory (local, in network-attached storage,or remote), can be stored in volatile or non-volatile memory, and canoperate autonomously, on-demand, on a schedule, and/or spontaneously.

“Computer machines” can include one or more: general-purpose orspecial-purpose network-accessible administrative computers, clusters,computing devices, computing platforms, desktop computers, distributedsystems, enterprise computers, laptop or notebook computers, primarynode computers, nodes, personal computers, portable electronic devices,servers, node computers, smart devices, tablets, and/or workstations,which have one or more microprocessors or executors for executing oraccessing the computer-executable software and data. References tocomputer machines and names of devices within this definition are usedinterchangeably in this specification and are not considered limiting orexclusive to only a specific type of device. Instead, references in thisdisclosure to computer machines and the like are to be interpretedbroadly as understood by skilled artisans. Further, as used in thisspecification, computer machines also include all hardware andcomponents typically contained therein such as, for example, processors,executors, cores, volatile and non-volatile memories, communicationinterfaces, etc.

Computer “networks” can include one or more local area networks (LANs),wide area networks (WANs), the Internet, wireless networks, digitalsubscriber line (DSL) networks, frame relay networks, asynchronoustransfer mode (ATM) networks, virtual private networks (VPN), or anycombination of the same. Networks also include associated “networkequipment” such as access points, ethernet adaptors (physical andwireless), firewalls, hubs, modems, routers, and/or switches locatedinside the network and/or on its periphery, and software executing onthe foregoing.

The above-described examples and arrangements are merely some examplearrangements in which the systems described herein may be used. Variousother arrangements employing aspects described herein may be usedwithout departing from the invention.

In the past, when a new software version or build was prepared forrelease, a build or executable may be uploaded to a distribution server(e.g., an FTP server) for distribution. As an example, early softwarerelease management may have been as simple as performing a build,uploading the results to a FTP server, updating a web site, and/orcommunicating that a new release was ready for download via an email orother message. Today, however, due at least in part to securityconsiderations and/or software complexity, software packages and/orreleases performed by enterprise organizations may utilize releasemanagement and artifact repositories to deliver software andinfrastructure today. Some software or artifact repositories, such assoftware distribution points, may support secure deployments ofartifacts for multiple machines and/or installations, sometimessupporting continuous delivery, to multiple data centers via aworld-wide network.

For software development, an artifact may be any deliverable associatedwith a project (e.g., documentation, executable code, and the like) andmay be stored in the form of a large binary package. An artifact mayhelp to describe software functionality, architecture, and/or itsdesign. Illustrative examples of artifacts may include, but are notlimited to, source code, meeting notes, workflow diagrams, data models,risk assessments, use cases, prototypes, a compiled application, and thelike. During development, an artifact list or plan may be developed toinclude all artifacts that may be required for a project. Such artifactsmay be shared via a shared drive, an artifact repository, a softwaredistribution point and the like. Artifact repositories or softwaredistribution points may be used to store, version and/or deployartifacts for builds. In some cases, artifact repositories may bedesigned to store many types of files, such as from binary files tocontainers. Illustrative artifact repositories may be a locally managedrepository, a remote (or caching) repository may be managed at a remotelocation and accessed via a universal resource locator (URL). In somecases, a repository (e.g., a virtual repository) may be a combination offeatures of a local repository and a remote repository and may beaccessed via a common URL.

A deployment artifact (or a build) may be the application code as itruns on production after it is compiled, built, bundled, minified,optimized, and/or the like. In some cases, the deployment artifact maybe a single binary. Sometimes the deployment artifact may be multiplefiles compressed in an archive or other container. The artifact can bestored and/or versioned.

An artifact may be configured and designed to be downloaded quickly ontoa server, and run immediately, with no service interruption. Further,artifacts may be configurable to be deployable on any environment. Forexample, if an artifact is to be deployed onto a staging server and aproduction server, the same artifact can be used for bothdeployments—only the configuration must change, not the artifact.

In some cases, artifact repositories or software distribution points maystore one or more types of artifacts, such as release artifacts andsnapshot artifacts. A release repository may be used to store releaseartifacts which are static or otherwise stable. Snapshot repositories,on the other hand, may be used to store snapshot artifacts (e.g., binarysoftware artifacts) which may be frequently updated while projects undergo development. In some cases, a repository may serve as a combinedrelease repository and snapshot repository. In some cases, otherrepositories may be segmented to server a particular purpose, such asfor release or development purposes and may maintain different standardsand/or procedures for deploying artifacts. In some cases, a releaserepository or software development point may be considered to be aproduction network for support of released software products. A snapshotrepository may be considered to be a development or a testing network.Release repositories and/or software distribution points may formalizeprocedures to support product deployments. Snapshot repositories orsoftware distribution points may allow snapshot artifacts to be deployedand/or changed frequently with or without regard for stability andrepeatability concerns. Once published or stored in an artifactrepository or software development point, an artifact and the metadatadescribing that artifact, particularly of release artifacts, do notchange. As a result, projects that depend from such stable artifactswill be repeatable and stable overtime. In some cases, an organizationmay utilize a central software distribution points and/or mirroredrepositories

A release artifact may be an artifact which was created by or for aspecific, versioned release. Further, released artifacts may be solid,stable, and/or perpetual to guarantee that builds that depend upon thereleased artifacts are solid and repeatable over time. In some cases, areleased artifact may further be associated with metadata that mayinclude a signature (e.g., a PGP signature), a hash or checksum (e.g.,an MD5 hash and SHA checksum). Such metadata may be used to provideinformation about the artifact, software associated with the artifact,and/or may be used to verify one or both of authenticity and integrityof the associated binary software artifact.

Snapshot artifacts may be artifacts generated during the development ofa software project. In some cases, snapshot artifacts (as well asrelease artifacts) may include metadata such as a version number, atimestamp, a signature, a checksum or hash, and the like. In some cases,version information and/or timestamp information may also be included inan artifact's name.

In some cases, artifact repositories or software distribution points mayalso associate metadata to assist in classifying and/or organizingartifacts. For example, artifact metadata may include a group identifierthat may be used to organize artifacts into logical groups, such as byorganization, software development group, associated application type,and the like. Artifact metadata may include artifact identifiers thatmay be used to identify an associated software component (e.g., anapplication, a library, and the like). Artifact metadata may furtherinclude versioning metadata that may be used to identify major releaseversions, minor release versions, iterative (e.g., point) releaseversions. In some cases, versioning metadata may also include a releasestatus identifier (e.g., alpha, beta) such as to identify a testingstage. In some cases, the artifact metadata may further include apackaging identifier that may be used to identify whether an artifactcorresponds to a single binary package or a container that containsmultiple binary artifacts. The container may be any type of binarypackaging format (e.g., zip, swc, swf, war, and the like). Additionalmetadata may further include a project object model, or other similaridentifier, that may be used to describe or otherwise identify theartifact and any dependencies required for the associated artifact.

Because artifacts have become ubiquitous, cybersecurity detection andresponse processes have evolved to differentiate observed behavior bymalicious users or insider threats to those that are permissible,expected or otherwise benign. When a host endpoint is under review, acybersecurity computing device may analyze data stored on or used by thehost endpoint to differentiate between artifacts—including binary filesand scripts—that have been introduced to the system by the adversaryand/or have been leveraged for malign intent such as by LOLBAS from abackground of pre-existing and benign artifacts. Approaches to thisrequirement may include a comparison of the cryptographic hashes fordiscovered artifacts against public sandbox data to identify differentclassifications of artifacts (e.g., “known-bad”, “known-good”, “known”,“seen” and the like) such as by utilizing static or periodically updatedreference sets such as the National Software Reference Library (NSRL)which may be used to identify “known” artifacts. Some approaches mayinclude periodically calculating and/or identifying “Least FrequentOccurrence” of hashes observed in an environment, where the premise isthat adversary artifacts may be rarer than benign artifacts. In somecases, centralized outputs of host-based agents that monitor artifactcreation and/or use may be leveraged to identify artifacts that wereobserved in the environment, a location of use, and/or a frequency ofuse.

Each of approach may be limited in one or more of the followingrespects. Artifact hashes are not specific to the environment of thehost endpoint under review, so that benign artifacts that are custom orrare are likely not represented in the reference sets and often have tobe manually accounted for. Artifact hashes are not specific to theenvironment of the host endpoint under review so that a presence of anartifact does not necessarily imply that that particular artifact ispermitted or expected. Artifact hashes may not be updated on sufficientfrequency to account for legitimate changes to the environment at scale.While artifacts may be identified in a particular software distributionpoint or other computing device, artifact hashes observed in a specificenvironment may not identify how the artifact came to be present on thehost endpoint. While adversary or malicious artifacts may be rare in anenvironment, the converse is not true. Rare does not imply malice,because many rare benign artifacts may exist for various legitimatereasons. Further, adversary artifacts may not be rare either,particularly if highly privileged credentials have been obtained for theenvironment and/or worm capabilities are in effect. Legitimate artifacthashes that are associated with known and/or approved software andconfigurations may not be labelled to identify that the artifact alsohas a known adversary use (e.g., a LOLBAS status) so that such artifactsmay be filtered from analysis and overlooked during or at least nothighlighted for such analysis.

As organizations are increasingly mandating and implementing centralizedoperating system and software deployment and inventory mechanisms, suchas software distribution points (SDPs), and applying policy andtechnical controls to limit artifact acquisition outside of SDPs, anopportunity exists to leverage artifact metadata gathered by suchmechanisms while establishing a status of an observed artifact as being“known-deployed” and by implication expected and approved—rather thanmerely “seen” or “known”.

A known-deployed file metadata repository (KDFMR) and analysis enginemay be configured to identify and/or correlate identified artifactcryptographic hashes and/or other metadata of artifact entries withevent log and/or security sensor output that may be captured by theSDPs. While metadata storage technology and/or a format used by asoftware distribution point may be proprietary and/or problematic toaccess, query and/or extend to allow for required security analysis, theKDFMR and analysis engine may be capable of being adapted and/or may beextended via software development kits and/or an application programminginterface to interface with newly encountered or developed formats, ortechnologies. Additional problems overcome by the KDFMR and analysisengine may include that multiple Software Distribution Pointtechnologies and/or mechanisms may be installed and operational in acomputing environment used by different subsets of host endpoints suchthat no single platform contains a complete view across a completeenterprise computing environment and/or such that the metadata entriesare irregular and/or partial with respect to each different SoftwareDistribution Point technology. The KDFMR and analysis engine addressesand resolves such identified problems by providing a consistent set ofmethods and systems to generate and store necessary metadata to enableanalytic separation of known-deployed artifacts from those not known tobe approved and centrally deployed, including those introduced byadversary activity. Further, the KDFMR and analysis engine provides forextension of the metadata that was identified so that the KDFMR and mayreflect potential adversary use, a LOLBAS status, and/or other metadatathat may be used to facilitate and expedite analysis during detectionand response.

FIG. 1 shows an illustrative computing environment 100 implementing aknown-deployed file metadata repository and analysis system inaccordance with one or more aspects described herein. The computingenvironment 100 may include a known-deployed file metadata repository(KDFMR) and analysis server 110, a software distribution point 120, asandbox computing system 130, one or more software source systems 170,and/or one or more host computing devices 180. The KDFMR and analysisserver 110, the software distribution point 120, the sandbox computingsystem 130, the one or more software source systems 170, and/or one theor more host computing devices 180 may be communicatively coupled via anetwork 105.

The KDFMR and analysis server 110 may include a processor 114 or aplurality of processors, for controlling overall operation of the KDFMRand analysis server 110 and its associated components, including the oneor more memory devices (not shown) (e.g., a non-transitory memorydevice, a random-access memory (RAM) device, a read only memory (ROM),and the like), an input/output (I/O) interface or I/O devices, and thelike. The KDFMR and analysis server 110 may communicate with one or moreexternal devices, such as the software distribution point 120, thesandbox computing system 130, the one or more software source systems170, and/or one the or more host computing devices 180 via the network105, a telecommunications network, an enterprise network and the likevia the communication interface 112. Network connections that may becommunicatively coupled to the communication interfaces 407 may includea local area network (LAN) and/or a wide area network (WAN), a wirelesstelecommunications network, a wired communications network and/or mayalso include other communications networks. When used in a LANnetworking environment, the KDFMR and analysis server 110 may beconnected to one or more communications networks (e.g., the network 105)through a network interface or adapter. When used in a WAN networkingenvironment, the KDFMR and analysis server 110 and/or the communicationinterface 112 may include a modem or other means for establishingcommunications over the WAN, such as the Internet, a cellular network,and the like. When used in a wireless telecommunications network, theKDFMR and analysis server 110 may include one or more transceivers,digital signal processors, and additional circuitry and software forcommunicating with wireless computing devices via one or more networkdevices (e.g., base transceiver stations) in the wireless network.

The KDFMR and analysis server 110 may store one or more datarepositories, such as the KDFMR repository 113, the data store 117,and/or the like. The KDFMR and analysis server 110 may also processinstructions to provide analysis and security functions for deployedartifacts by enabling operation of an analysis engine 116. The analysisengine 116 may leverage multiple software distribution point (SDP)technologies within the computing environment 100 to provide a vendoragnostic interface with a plurality of SDP technologies provided bydifferent vendors. In doing so, the KDFMR and analysis server 110 mayleverage the various SDP technologies deployed within the computingenvironment 100 to source files that are known to be approved andcentrally deployed within that environment. Because each SDP technologymay utilize a different, or multiple, access protocols the KDFMR andanalysis takes a modular approach to acquiring the files according towhich protocols are in use for the particular SDP 120.

The known-deployed file metadata repository 113 may, for example, be adatabase used to store metadata associated with a plurality of artifactsmanaged via one or more software distribution points, such as the SDP120. The KDFMR 113 may include a plurality of data structures storingartifact metadata including, for example, a file name, a file creationdate, a modification date, a checksum or hash value, an indication offiles associated with artifact, an indication of a software distributionpoint, an indication of a software application associated with theartifact, an indication of a source of the artifact, an indication thatthe artifact is a known artifact, an indication that the associatedartifact is known to have been deployed safely within the computingenvironment 100 or other associated enterprise computing environments,and the like. The analysis engine 116 may analyze files stored on one ormore SDPs, such as the software distribution point 120, to determinewhether an artifact can safely be deployed within the computingenvironment, such as by using the method(s) discussed below with respectto FIG. 2.

The data store 117 may include additional information corresponding toartifacts and/or artifact identification. Such information may beleveraged by the analysis engine when evaluating existing, changedand/or newly deployed artifacts. For example, artifacts 123 mayrepresent previously existing and analyzed artifacts stored within theSDP 120 and artifacts 127 may represent newly stored or modifiedartifacts that need to be analyzed before deployment can becontemplated. In some cases, the data store 117 may store metadata, suchas file names, file dates, hashes and/or checksums associated with“known” artifacts that have been identified by a standards organizationand/or the enterprise itself. For example, the data store 117 may storeinformation obtained from the National Software Reference Library(NSRL), which archives copies of the world's most widely installedsoftware titles. The NSRL is maintained by the National Institute ofStandards and Technology (NIST) to allow cybersecurity and forensicsexperts to track an immense and ever-growing volume of software on theworld's computers, mobile phones and other digital devices. Othersimilar collections may also be leveraged and/or stored within the datastore 117. The NSRL includes a digital fingerprint of all softwareanalyzed by NIST, which may be stored as a hash that uniquely identifieseach file. The reference data set provided by NIST that includes alisting of each hash of all known software. The reference data set isupdated periodically and may be downloaded and stored within the datastore 117. In some cases, a download of the reference data set mayinitiate the KDFMR repository and analysis engine to re-analyze eachartifact or artifact record to update records of known files and knowndeployed files stored in the data stores 113 and 117. The data store 117may store metadata on computer files which can be used to uniquelyidentify the files and their provenance. For example, the metadata mayinclude cryptographic hash values (e.g., a MD5 hash, a SHA-1 hash, aSHA-256 hash, and the like) of the file's content to uniquely identifythe file even if, for example, it has been renamed. The metadata mayfurther include data about the file's origin, including the softwarepackage(s) containing the file and the manufacturer of the package, afile's original name and size. and the like. The data store 117 maystore information identifying whether a file is “known”, not necessarilywhether the file is “known-good” or “known-bad”. The data store 117 maystore hashes and other metadata associated with valid “safe”applications and associated with applications traditionally viewed asbeing malicious (e.g., encryption tools, steganography tools, maliciousaccess tools, and the like). In some cases, the analysis engine 116 mayutilize the data store 117 information to perform approximate matchingto assess and/or quantify a relationship between files. For example, theanalysis engine 116 may utilize one or more resemblance query algorithmsand/or containment query algorithms. For example, the analysis engine116 may perform operations such as object similarity detection, crosscorrelation, embedded object detection, fragment detection and the like.In some cases, the analysis may use bytewise matching techniques,syntactic matching techniques, semantic matching techniques, fuzzyhashing techniques, and the like. In some cases, internal developmentgroups and/or trusted vendors may provide known good versions ofapplications and/or artifacts and its associated metadata. In some casessuch known-good metadata may be included in an update to the data store117.

The software distribution point 120 may comprise deployment managementapplication(s) installed and running on a host computing device that mayinclude one or ore processors 124, a communication interface 122 tofacilitate communication via the network 105, and memory 126 storing oneor more artifacts associated with software deployed within an enterprisecomputing network, such as the computing environment 100. The SDP 120may be used to deliver content to a plurality of client computingdevices (e.g., the host computing devices 180) via the network. Forexample, when a client computing device needs to download a newoperating system, an application, driver, or a portion of an applicationor a software package, the client computing device contacts the SDP 120.In some cases, the SDP may manage deployment artifacts (e.g., theartifacts 123, 127) stored in memory and that may be provided by one ormore different sources, either known or unknown, such as the softwaresource computing systems 170. The deployment artifact may be applicationcode, or other information, as it runs in production which has beencompiled, built, bundled, minified, and/or optimized. In some cases,each artifact 123 may be stored as a single binary file. In some cases,the artifact may comprise one or more container files that may eachstore one or more different artifacts compressed, such as in an archivefile format. Each artifact file may be associated with a particularversion or build and may be configured to be deployed quickly within anetwork and run with no service interruption, or a minimum of serviceinterruption. Artifact-based deployment comes with many advantages as itallows quick to deploy, allows instant rollback, provides backups thatare available and ready to run. Artifacts allow for running the exactsame code on every environment so that deployment becomes aconfiguration issue. Because of this malicious users or organizationsand/or inside threats may attempt to leverage artifacts and/or softwaredistribution points to improperly access enterprise computing networks.

The sandbox computing system 130 may include a communication interface132, one or more processors 134 and one or more virtual environment,such as the virtual environment 136.

In some cases, the known-deployed file metadata repository and analysisserver 110 may identify one or more newly modified or downloadedartifacts stored on the software distribution point 120. Afteridentifying the presence of unknown, modified, or new artifacts, theanalysis engine 116 may cause the deployment of one or more suspectartifacts 133 within the virtual environment 136, with or withoutadditional or corresponding applications 135. The secure sandboxcomputing environment may be used to isolate the deployed suspectartifact from the protected networks (e.g., the enterprise computingnetwork) and the host computing devices 180. Within the sandboxedcomputing environment, the analysis engine 116 or other monitoringsoftware packages may monitor the deployed artifact(s)t for malicious orpotentially malicious activity. An artifact hash may be used to identifyand/or track the artifact activity and testing, and may be used toclassify each artifact as being “known-good”, “known-bad”, indeterminateand the like. each hash may be compared to information stored in a datastore containing hashes of previously accessed content. In some cases,the hashes stored in one or more data stores may be categorized, such aswith a category being associated with content that is safe to access,content including potentially malicious content, as malicious content,and the like. In some cases, the malicious content may further becategorized, such as with respect to a severity of harm that may beinflicted on the security, integrity, and/or operation computing devicesacross the enterprise computing system.

Additionally or alternatively to detonation of files to determinemalicious or suspicious activity associated with the files, the sandboxcomputing system 130 may use file detonation to identify artifactsand/or traces of known-deployed files and indications as to how suchfiles are used. For example, the file artifacts obtained throughdetonation of files by the sandbox computing system 130 may be used toeliminate traces of expected behavior of known-deployed files and,therefore, remove these from investigation for malicious activity. Suchelimination of know-deployed files is particularly relevant toidentification of LOLBAS, because the file artifacts may have benignexpected uses and/or may be associated with Autostart Execution Point(ASEP) entries, or other commands that are initiated automatically uponstartup of a computing device. and high volume ASEPs that are as aresult of deployment. As such, identifying known-deployed filesminimizes the number of traces and/or artifacts that need to be reviewedby security computing systems or security analysts because a largeamount of benign activity would already be identified and accounted for.

FIG. 2 shows an illustrative method 200 for generation and use of aknown-deployed file repository in accordance with one or more aspectsdescribed herein. At 210, the KDFMR analysis engine 116, once the SDP120 is accessible and is storing one or more artifacts 123, 127, mayenumerate available deployed artifact files. The analysis engine 116 mayenumerate the artifact s 123, 127 by reference to a catalog provided bythe SDP, where present. In some cases, the analysis engine 116 may, ifthe SDP 120 implements a native file share (e.g., an operation systemfile share), perform a directory listing or equivalent. At 220, theanalysis engine 116 may identify newly added artifacts 127. For example,the analysis engine 116 may compare the enumerated file listing withtheir respective SDP platform paths and/or logical locations and anyassociated metadata available from a catalog or directory listing thatindicates last modified/created dates or the like, to information storedin the data stores 113, 117. For example, the analysis engine maycompare the artifact metadata against any previously stored values,statuses, and may store or modify such details for those that have notalready been acquired. In some cases, the analysis engine 116 may updatethe data stores with metadata indicating a change since a lastacquisition.

At 225, the analysis engine 116 may determine whether new or modifiedartifacts 127 have been found. If not, the process ends at 228. If, at225, the analysis engine 116 identifies modified files, at 230 theanalysis engine 126 may log any SDP logical locations that have beennewly stored or modified and may be passed to the appropriate modulewithin KDFMR that is registered as providing file acquisition functionsfor the SDP technology, e.g., a SDP communication technology enabledmodule, function, application programming interface or the like. At 240,the analysis engine 116 may acquire each file and may then pass the fileto a module that is able to confirm whether the artifact file is acontainer file format (e.g., a format that is known to contain otherfiles or artifacts including but not limited to disk image formats,archives compresses or otherwise, portable executables, compounddocument formats, and the like) or whether the file is atomic and doesnot contain other files.

At 250, for each file acquired directly from the SDP that is atomic or acontainer file, the analysis engine 116 may process the file tocalculate and/or extract the required metadata. This metadata mayinclude, but not be limited to, cryptographic hashes, checksums, filesignatures, sizes, file magic bytes and the like. The analysis engine116 may store the metadata in one or both of the data stores 113, 117and may link the metadata and the artifact file to its SDP logicallocation. At 255, the analysis engine 116 analyzes each file todetermine whether a file is atomic or a container file. If so, at 260,for each file that is contained within a container, the previous stepsmay be repeated recursively to determine whether a particular file is acontainer file or an atomic file. If, at 265, a last file has not beenreached, then at 270 the analysis engine 116 may generate and storemetadata with respect to a relative path of a contained file extractedfrom the container file with respect to a location where its top-mostcontainer file is stored—rather than to a reference to the SDP logicallocation. In some cases, a cryptographic hash of a container file'stop-most container and the file's immediate container may be stored toenable metadata that already exists for a given container to be usedrather than requiring the analysis engine 116 to perform re-extractionand recalculation. If for a given contained container file, acryptographic hash entry already exists, recursive extraction andmetadata generation can cease for this file.

In some cases, the enumeration of available deployed files on the SDP120 may be scheduled such that the KDFMR analysis engine 116 mayperiodically (e.g., daily, weekly, hourly, and the like) check for newor modified deployed files, thereby maintaining a currency of the KDFMRdata stored in the data stores 113, 117 with respect to the actualdeployed files available from the SDP 120.

In some cases, the analysis engine 116 may perform additional steps whenthe SDP technology has expanded functionality, either by design or dueto features, and/or based on features for a storage mechanism used bythe SDP 120 to host its files. For example, the SDP 120 may provide log,alert, message, or other notification upon the addition or modificationof a deployed file that can be made accessible to the KDFMR upon whichthe process above is initiated specifically for that file or files. Insome cases, a storage mechanism employed by the SDP 120 to host itsfiles may provide audit settings to generate and/or otherwise makeavailable an event specifying a location of a created or modified fileupon such occurrence. This event may be collected by another system(e.g., a monitoring application) that is configured to notify the KDFMRsystem upon receipt or identification of a file creation by the SDP 120,which may then trigger the analysis engine to perform the above processfor that file or files.

In some cases, additional to or as part of a metadata generation processor as a separate process to stored data in the data stores 113, 117, theanalysis engine 116 may enrich the artifact file metadata with labels toidentify a functionality associated with the artifact. For example, suchinformation may indicate that an artifact file may be known to also beused for adversary purposes (e.g., an artifact file is labeled as aLOLBAS). In some cases, this information may be further extended withadditional metadata such as references to thesauri, taxonomies,ontologies and/or other reference materials that may further detailadversary employment of such artifacts. Such information may include,but not be limited to, techniques, tactics, and procedures (TTPs) wherethe artifact is either necessary for or sufficient to obtain theadversarial objective. In some cases, the information may serve aspecific and/or a limited purpose within the computing environment orwithin a specified computing business context in which the hostendpoints to which it is intended to be deployed operate. Suchinformation may be used to add further context to the artifactfunctionality including, but not limited to, identifying whether theartifact is expected to be found on a particular class or category ofhost endpoint, whether it has ongoing approval for use, business andtechnical ownership, whether the artifact has an association with higherlevel business applications or components, and/or whether the artifacthas a status of known security vulnerabilities and/or vendor support.

In some cases, the KDFMR and analysis server 110 may expose anapplication programming interface (API) to provide functions that allowexternal systems to query the KDFMR data store 113 and/or the data store117 for reference to atomic value and/or sets of values, identificationand/or extraction of patterns within values, and/or functions accordingto other logic that is available in the chosen implementation languagesand data storage technologies via a custom programming interface.

In some cases, the KDFMR and analysis server 110 may be configured tosynchronize or communicate a copy or a subset of its stored metadata toan external analytic platform or platforms such as a log managementsystem, a security information and event management (STEM) system,and/or other data processing or storage system, either periodically orupon generation of new or changed metadata entries. Such functionalitymay enable the KDFMR data to be used as an enrichment data set, filtercriteria, search criteria, and/or otherwise may be used analyticallywithin the target platform against existing security events and data. Anadvantage of the KDFMR and analysis server 110 is, at least in part, dueto what is not stored in its database as much as what it does. Forexample, the KDFMR data does not have references to files that may onlybe ‘known’ (e.g. information obtained from NSRL) and which may bepresent on a host in the environment. As such, known files that are notavailable via the SDP 120, as opposed to known-deployed files availablevia the SDP 120, allows the KDFMR and analysis server 110 to concludethat a particular file, while ‘known’, was introduced to a host throughmethods other than via approved software distribution practices and/orthe SDP 120. Because the file is not ‘known-deployed’ the presence ofthese ‘known’ files represents manual intervention, adversary ormalicious activity, or a policy breach, or the like. These distinctionsmay be missed through present analysis techniques, allowing the theseimproperly present ‘known’ files to be missed because the negativeresponses to such queries (e.g., identification of unknown files) havebeen the main focus of the present analysis.

In some cases, the KDFMR and analysis server 110 may send, at 280, theacquired files to a security sandbox device (e.g., the sandbox computingsystem 130) for detonation and/or may store the resultant traces andadditional metadata obtained from such detonations of files linked tothe artifact entries existing in the KDFMR 113. In the case of filesthat include disk images, such files may provide an additional basis ofthe sandboxed execution environment in cases where the disk image isself-contained so that production infrastructure may not be requiredoutside of the sandbox for further configuration or if a preconfiguredsandbox machine with the disk image applied is available for use. Ineach case, this metadata may be further processed by the KDFMR andanalysis server to, for example at 290, generate lists of known paths,system entries and/or filenames as the deployed artifacts would appearon a host endpoint, normalizing for variable locations such as userdirectories or deterministically generated paths and names, particularlywhere this is different to those paths within a given Container File dueto renaming and/or host configuration operations. In doing so, theanalysis engine 116 may detect a file masquerading (e.g., such as wherean adversary uses a known-deployed file name for completelydifferent/adversarial content) as an allowed file. In some cases, theanalysis engine may identify renaming of known LOLBAS files that mayotherwise cause their usage to be missed by an analyst if referring tofilename alone. In some cases, the analysis engine may link event logentries, network activity and/or artifact metadata that is onlyavailable during dynamic execution to the a particular KDFMR entry of anartifact. In doing so, the analysis engine may normalize paths,locations and/or other attributes that are variable according to thehost endpoint or user associated with the detonation of a file. Thisadditional metadata allows the analysis engine to compare expected eventlog entries, network traffic and dynamic metadata against those actuallyobserved in the environment, thus facilitating detection of unusualusage by allowing elimination of deployment-related activity fromanalysis, or alternatively/additionally positively confirming thatevents are related to deployment activity.

In some cases, the known deployed file metadata repository and analysisserver 110 may, after confirming a match between metadata of an artifactstored in the SDP 120 and metadata stored in the known deployed filemetadata repository 113, trigger deployment of the artifact. In somecases, deployment of files newly stored and/or newly modified on the SDP120 may be disabled pending confirmation and analysis of the filesmetadata. Once the new or modified file's metadata is updated, the KDFMRand analysis server 110 may enable distribution of the file by the SDP120, such as through an API function call or the like.

In some cases, after receiving a submitted file hash-based query, theKDFMR and analysis server 110 may process the file hash-based query andreturn a status value indicating that an information matching anexisting KDFMR record or records was found or that a match was notfound. Further, the KDFMR and analysis server 110 may return the statusvalue with or without extended metadata associated with any matchedresults. In some cases, the KDFMR and analysis server 110 may process asubmitted trace artifact criteria-based query where a normalized versionof a particular trace artifact (e.g. a registry entry, file path on ahost, and the like) is matched against sandbox traces for known-deployedfiles stored in the KDFMR data store. The KDFMR and analysis server 110may then return a list of file metadata entries when a match or matcheswere found or may return an indication that a match was not found. Insome cases, the KDFMR and analysis server 110 may process a combinedfile hash and trace criteria query such that the KDFMR and analysisserver 110 may return a list of file metadata entries is returned whenboth the file hash and the normalized version of the corresponding traceartifact match a sandbox trace for a known-deployed file or files or mayreturn an indication that a match was not found. In some cases, theKDFMR and analysis server 110 may process a file that may be a containerfile (e.g., a disk image) in a query-only mode, such that a status ofthe file or files may be returned but the KDFMR may not be updated. Insuch cases, the KDFMR and analysis server 110 treats the processed fileas being of unknown provenance because the file was not acquired fromthe SDP 120. Here, the KDFMR and analysis server 110 may determinewhether the container file or may identify whether one or moreparticular files, or all contained files, of the container file may beknown-deployed and/or may determine whether one or more particularfiles, or all contained files, of the container files are not. With thisquery, the file being analyzed may be sourced from a host underinvestigation. In some cases, the container file query may be structuredsimilarly to a file hash-based query, a trace artifact query, and/or asboth a file hash-based query and a trace artifact query, but withoutrequiring the query criteria to include the hashes and/or paths, becausethese may be calculated from the processed file.

FIG. 3 shows an illustrative operating environment in which variousaspects of the present disclosure may be implemented in accordance withone or more example embodiments. Referring to FIG. 3, a computing systemenvironment 300 may be used according to one or more illustrativeembodiments. The computing system environment 300 is only one example ofa suitable computing environment and is not intended to suggest anylimitation as to the scope of use or functionality contained in thedisclosure. The computing system environment 300 should not beinterpreted as having any dependency or requirement relating to any oneor combination of components shown in the illustrative computing systemenvironment 300.

The computing system environment 300 may include an illustrativesteganographic communications analysis engine 301 having a processor 303for controlling overall operation of the steganographic communicationsanalysis engine 301 and its associated components, including aRandom-Access Memory (RAM) 305, a Read-Only Memory (ROM) 307, acommunications module 309, and a memory 315. The steganographiccommunications analysis engine 301 may include a variety of computerreadable media. Computer readable media may be any available media thatmay be accessed by the steganographic communications analysis engine301, may be non-transitory, and may include volatile and nonvolatile,removable and non-removable media implemented in any method ortechnology for storage of information such as computer-readableinstructions, object code, data structures, program modules, or otherdata. Examples of computer readable media may include Random AccessMemory (RAM), Read Only Memory (ROM), Electronically ErasableProgrammable Read-Only Memory (EEPROM), flash memory or other memorytechnology, Compact Disk Read-Only Memory (CD-ROM), Digital VersatileDisk (DVD) or other optical disk storage, magnetic cassettes, magnetictape, magnetic disk storage or other magnetic storage devices, or anyother medium that can be used to store the desired information and thatcan be accessed by the steganographic communications analysis engine301.

Although not required, various aspects described herein may be embodiedas a method, a data transfer system, or as a computer-readable mediumstoring computer-executable instructions. For example, acomputer-readable medium storing instructions to cause a processor toperform steps of a method in accordance with aspects of the disclosedembodiments is contemplated. For example, aspects of method stepsdisclosed herein may be executed by the processor 303 of thesteganographic communications analysis engine 301. Such a processor mayexecute computer-executable instructions stored on a computer-readablemedium.

Software may be stored within the memory 315 and/or other digitalstorage to provide instructions to the processor 303 for enabling thesteganographic communications analysis engine 301 to perform variousfunctions as discussed herein. For example, the memory 315 may storesoftware used by the steganographic communications analysis engine 301,such as an operating system 317, one or more application programs 319,and/or an associated database 321. In addition, some or all of thecomputer executable instructions for the steganographic communicationsanalysis engine 301 may be embodied in hardware or firmware. Althoughnot shown, the RAM 305 may include one or more applications representingthe application data stored in the RAM 305 while the steganographiccommunications analysis engine 301 is on and corresponding softwareapplications (e.g., software tasks) are running on the steganographiccommunications analysis engine 301.

The communications module 309 may include a microphone, a keypad, atouch screen, and/or a stylus through which a user of the steganographiccommunications analysis engine 301 may provide input, and may includeone or more of a speaker for providing audio output and a video displaydevice for providing textual, audiovisual and/or graphical output. Thecomputing system environment 300 may also include optical scanners (notshown).

The steganographic communications analysis engine 301 may operate in anetworked environment supporting connections to one or more remotecomputing devices, such as the computing devices 341 and 351. Thecomputing devices 341 and 351 may be personal computing devices orservers that include any or all of the elements described above relativeto the steganographic communications analysis engine 301.

The network connections depicted in FIG. 3 may include a Local AreaNetwork (LAN) 325 and/or a Wide Area Network (WAN) 329, as well as othernetworks. When used in a LAN networking environment, the steganographiccommunications analysis engine 301 may be connected to the LAN 325through a network interface or adapter in the communications module 309.When used in a WAN networking environment, the steganographiccommunications analysis engine 301 may include a modem in thecommunications module 309 or other means for establishing communicationsover the WAN 329, such as a network 331 (e.g., public network, privatenetwork, Internet, intranet, and the like). The network connectionsshown are illustrative and other means of establishing a communicationslink between the computing devices may be used. Various well-knownprotocols such as Transmission Control Protocol/Internet Protocol(TCP/IP), Ethernet, File Transfer Protocol (FTP), Hypertext TransferProtocol (HTTP) and the like may be used, and the system can be operatedin a client-server configuration to permit a user to retrieve web pagesfrom a web-based server. Any of various conventional web browsers can beused to display and manipulate data on web pages.

The disclosure is operational with numerous other computing systemenvironments or configurations. Examples of computing systems,environments, and/or configurations that may be suitable for use withthe disclosed embodiments include, but are not limited to, personalcomputers (PCs), server computers, hand-held or laptop devices, smartphones, multiprocessor systems, microprocessor-based systems, set topboxes, programmable consumer electronics, network PCs, minicomputers,mainframe computers, distributed computing environments that include anyof the above systems or devices, and the like that are configured toperform the functions described herein.

FIG. 4 shows an illustrative block diagram of workstations and serversthat may be used to implement the processes and functions of certainaspects of the present disclosure in accordance with one or more exampleembodiments. For example, an illustrative system 400 may be used forimplementing illustrative embodiments according to the presentdisclosure. As illustrated, the system 400 may include one or moreworkstation computers 401. The workstation 401 may be, for example, adesktop computer, a smartphone, a wireless device, a tablet computer, alaptop computer, and the like, configured to perform various processesdescribed herein. The workstations 401 may be local or remote, and maybe connected by one of the communications links 402 to a computernetwork 403 that is linked via the communications link 405 to thesteganographic communications analysis server 404. In the system 400,the steganographic communications analysis server 404 may be a server,processor, computer, or data processing device, or combination of thesame, configured to perform the functions and/or processes describedherein. The steganographic communications analysis server 404 may beused to monitor network communications, identify potential instances ofsteganographic communications, quarantine suspected compromised device,generate alerts, and the like.

The computer network 403 may be any suitable computer network includingthe Internet, an intranet, a Wide-Area Network (WAN), a Local-AreaNetwork (LAN), a wireless network, a Digital Subscriber Line (DSL)network, a frame relay network, an Asynchronous Transfer Mode network, aVirtual Private Network (VPN), or any combination of any of the same.The communications links 402 and 405 may be communications linkssuitable for communicating between the workstations 401 and thesteganographic communications analysis server 404, such as networklinks, dial-up links, wireless links, hard-wired links, as well asnetwork types developed in the future, and the like.

One or more aspects of the disclosure may be embodied in computer-usabledata or computer-executable instructions, such as in one or more programmodules, executed by one or more computers or other devices to performthe operations described herein. Generally, program modules includeroutines, programs, objects, components, data structures, and the likethat perform particular tasks or implement particular abstract datatypes when executed by one or more processors in a computer or otherdata processing device. The computer-executable instructions may bestored as computer-readable instructions on a computer-readable mediumsuch as a hard disk, optical disk, removable storage media, solid-statememory, RAM, and the like. The functionality of the program modules maybe combined or distributed as desired in various embodiments. Inaddition, the functionality may be embodied in whole or in part infirmware or hardware equivalents, such as integrated circuits,Application-Specific Integrated Circuits (ASICs), Field ProgrammableGate Arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope of computerexecutable instructions and computer-usable data described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one or more of the steps depicted in theillustrative figures may be performed in other than the recited order,one or more steps described with respect to one figure may be used incombination with one or more steps described with respect to anotherfigure, and/or one or more depicted steps may be optional in accordancewith aspects of the disclosure.

1. A method comprising: receiving, via a computing network, a signalindicating storage of a file a software distribution point (SDP)computing system, wherein the signal is automatically generated by theSDP computing system based on saving of at least one file; enumerating,by a known deployed file metadata analysis engine, available filesstored on the SDP computing system; retrieving, based on a comparison ofenumerated files to logical paths associated with the SDP computingsystem to identify one or more new files and by the known deployed filemetadata analysis engine from the SDP computing system via a network,the one or more new files; extracting, by the known deployed filemetadata analysis engine, metadata from each of the one or more newfiles; recursively extracting, based on an indication that a file of theone or more new files is a container file and by the known deployed filemetadata analysis engine, metadata from each file stored in thecontainer file of the one or more new files; identifying, by the knowndeployed file metadata analysis engine, a match of metadata of a file ofthe one or more new files and metadata stored in a data store comprisinginformation stored of “known-good” files; updating, by the knowndeployed file metadata analysis engine, the matched metadata with anindication that the file is “known-deployed”; and triggering, by theknown deployed file metadata analysis engine, synchronization of storedmetadata to an external computing system based on the update of thematched metadata.
 2. The method of claim 1, wherein recursivelyextracting metadata from each file stored in the container file of theone or more new files comprises: calculating a first cryptographic hashof a topmost container of the container file and a second cryptographichash of an immediate second container adjacent the topmost container;halting, by the known deployed file metadata analysis engine, recursivefile extraction and metadata generation for the container file based onan indication of a match between the first cryptographic hash or thesecond cryptographic hash to metadata stored in the data store.
 3. Themethod of claim 1, comprising scheduling, by the known deployed filemetadata analysis engine, analysis of the files stored on the SDP on aperiodic basis.
 4. The method of claim 1, comprising triggering, by theknown deployed file metadata analysis engine, analysis of the filesstored on the SDP based on an indication that a modified file has beensaved.
 5. The method of claim 1, comprising triggering, by the knowndeployed file metadata analysis engine, analysis of the files stored onthe SDP based on an indication that a new file has been saved.
 6. Themethod of claim 1, comprising: receiving, via the computing network, anelectronic message comprising a hash value of a file; identifying, bythe known deployed file metadata analysis engine based on receipt of theelectronic message, metadata associated with files stored in aknown-deployed file data store, wherein the files correspond to a matchof the received hash value; sending, via the computing network by theknown deployed file metadata analysis engine and based on an identifiedmatch, a first electronic response message comprising an indication of aconfirmed match to the received hash value; and sending, via thecomputing network by the known deployed file metadata analysis engineand based on a failure to identify a match to the received hash value, asecond electronic response message comprising an indication of a failureto match the received hash value.
 7. The method of claim 1, comprisingenriching the file metadata stored in the data store with semanticlabels to identify whether a file is known to be used for adversarypurposes.
 8. The method of claim 1 comprising enriching the filemetadata stored in the data store with semantic labels to identifywhether a file serves a specific purpose within the enterprise computingenvironment.
 9. A system comprising: a software distribution point (SDP)computing system comprising memory storing a plurality of files; aknown-deployed file metadata analysis server comprising: a processor;and non-transitory memory storing instructions that, when executed bythe processor, causes the known-deployed file metadata analysis serverto: enumerate, based on an indication received from the SDP computingsystem that indicates at least one file has been created, availablefiles stored on the SDP computing system; compare enumerated files tological paths associated with the SDP computing system to identify oneor more new files; retrieve, from the SDP computing system via anetwork, the one or more new files; extract metadata from each of theone or more new files; recursively extract, based on an indication thata file of the one or more new files is a container file, metadata fromeach file stored in the container file of the one or more new files;identify a match of metadata of a file of the one or more new files andmetadata stored in a data store comprising information stored of“known-good” files; update the matched metadata with an indication thatthe file is “known-deployed”; and trigger synchronization of storedmetadata to an external computing system based on the update of thematched metadata.
 10. The system of claim 9, wherein the instructionsfurther cause the known-deployed file metadata analysis server to:calculate a first cryptographic hash of a topmost container of thecontainer file and a second cryptographic hash of an immediate secondcontainer adjacent the topmost container; and halt recursive fileextraction and metadata generation for the container file based on anindication of a match between the first cryptographic hash or the secondcryptographic hash to metadata stored in the data store.
 11. The systemof claim 9, wherein the instructions further cause the known-deployedfile metadata analysis server to schedule analysis of the files storedon the SDP on a periodic basis.
 12. The system of claim 9, wherein theinstructions further cause the known-deployed file metadata analysisserver to trigger analysis of the files stored on the SDP based on anindication that a modified file has been saved.
 13. The system of claim9, wherein the instructions further cause the known-deployed filemetadata analysis server to trigger analysis of the files stored on theSDP based on an indication that a new file has been saved.
 14. Thesystem of claim 13, wherein the instructions further cause theknown-deployed file metadata analysis server to trigger analysis of thenew file based on the indication that the new file has been saved. 15.The system of claim 9, wherein the instructions further cause theknown-deployed file metadata analysis server to enrich the file metadatastored in the data store with semantic labels to identify whether a fileis known to be used for adversary purposes.
 16. The system of claim 9,wherein the instructions further cause the known-deployed file metadataanalysis server to enrich the file metadata stored in the data storewith semantic labels to identify whether a file serves a specificpurpose within the enterprise computing environment.
 17. Non-transitorycomputer-readable media storing instructions that, when executed by acomputing device comprising at least one processor, memory, and acommunication interface, cause the computing device to: enumerate, basedon an indication received from the SDP computing system that indicatesat least one file has been created, available files stored on the SDPcomputing system; compare enumerated files to logical paths associatedwith the SDP computing system to identify one or more new files;retrieve, from the SDP computing system via a network, the one or morenew files; extract metadata from each of the one or more new files;recursively extract, based on an indication that a file of the one ormore new files is a container file, metadata from each file stored inthe container file of the one or more new files; identify a match ofmetadata of a file of the one or more new files and metadata stored in adata store comprising information stored of “known-good” files; updatethe matched metadata with an indication that the file is“known-deployed”; and trigger synchronization of stored metadata to anexternal computing system based on the update of the matched metadata.18. The non-transitory computer readable media of claim 17, wherein theinstructions further cause the computing device to: calculate a firstcryptographic hash of a topmost container of the container file and asecond cryptographic hash of an immediate second container adjacent thetopmost container; and halt recursive file extraction and metadatageneration for the container file based on an indication of a matchbetween the first cryptographic hash or the second cryptographic hash tometadata stored in the data store.
 19. The non-transitory computerreadable media of claim 17, wherein the instructions further cause thecomputing device to schedule analysis of the files stored on the SDP ona periodic basis.
 20. The non-transitory computer readable media ofclaim 17, wherein the instructions further cause the computing device totrigger analysis of the new file based on the indication that the newfile has been saved.